Data Privacy Policy

Below TolaData GmbH (“TolaData” or “we”) provides you with an overview of what personal data we process for what purpose and how we ensure the protection of that data.In section I. you can find information applicable in general. In section II. We explain the processing of personal data in the context of you visiting our websites (www.toladata.com, toladata.io, help.toladata.com) (“Website”). In section III. We explain the processing of personal data when subscribing to our services.Please read the following information regarding the privacy policy carefully. In case you have further questions, please do not hesitate to contact us at any time at datasecurity@toladata.com.

I. General Information

1. Who is responsible for processing of personal data and whom you can approach

3. What we process

We process personal data provided by you or generated by us.For further information, see sections II. and III.

4. For what purpose and on what legal basis do we process personal data

Generally, we process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) for various purposes. In principle, the following can be considered as the purposes of the processing: the processing for the initiation of contractual relationships and the performance of contracts (Art. 6 (1) lit. b GDPR), for the protection of legitimate interests (Article 6 (1) lit. f DSGVO), based on your consent (Article 6 (1) lit. a GDPR) and/ or statutory provisions (Art. 6 (1) lit. c GDPR).For further information, see sections II. and III.

5. Are you obligated to provide personal data

There is no legal or contractual obligation to provide us with personal data. We only ask you to provide us with the data necessary for our services. Without this personal data, we may not be able to offer you our services.

6. For how long do we process personal data

We process data only as long as it is necessary in relation to the initial specified, explicit and legitimate purpose.Additionally, we are subject to various filing and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The deadlines for storage and documentation specified there are up to ten years.In light of possible legal claims, the processing period is also determined by statutory time limitations, which can be up to thirty years according to §§ 195 ff. of the German Civil Code (BGB), whereby the regular time limitation is three years.

7. Your Rights

Every data subject has the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). To exercise those rights, you can contact us under the contact information given in section I. 1. or 2.As far as the personal data is processed for the purpose of our legitimate interest according to Art. 6 (1) lit. f GDPR, you have the right to object according to Art. 21 GDPR. You can find further information regarding your right to object at the end of this Privacy Policy.In addition, if you are of the opinion that the processing of your personal data is unlawful, you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). This right to complain is without any prejudice to any other administrative or judicial remedy. The competent supervisory authority for TolaData is:Berliner Beauftragte für Datenschutz und Informationsfreiheit

8. External Links

On our Website we may link to other websites by third parties.Such websites by third parties are governed by the provisions and privacy policies of the respective third party offering the content behind those links. We do not actively check such links and external content unless required by applicable laws. If you discover wrong and/or inappropriate content please inform us, for example via email to datasecurity@toladata.com and we will delete and change such links immediately.Kindly notice that when you click these links, you may be connected to such external service and your data may be processed outside the European Economic Area (EEA).

9. Data Security

In order to ensure the best possible protection of your data, the Website is offered via a secure SSL connection.

II. Processing of personal data regarding our Website

1. Cookies

In order to offer you a convenient online service featuring numerous functions, our Website uses text files (“Cookies”). A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our website.Processing of personal data through the use of cookies is based on Article 6 (1) lit. f GDPR. Purpose and our legitimate interest are improved functionality of our websites.

2. Access Data/ Server logfiles

We collect data about each visit of our Website (so-called server logfiles) (“Access Data”). Access Data includes the following:Name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, User’s operating system, referrer URL (the previously visited page), IP address and the requesting providerWhen using a mobile device Access Data also contains:Country code, language, device name, operating system and version nameWe use this Access Data for statistical analysis for the purpose of operation, security and optimization of our Website. We anonymize Access Data before processing it for statistical analysis. However, we reserve the right to check these Access Data retrospectively if there is a justified suspicion of illegal use based on concrete indications. This data is stored because this is the only way to prevent the misuse of our Website and Software and, if necessary, allow us to investigate any potential crimes committed. As a matter of principle, this data will not be passed on to third parties unless there is a legal obligation to pass it on or the transfer of data serves criminal prosecution purposes.This data processing is based on Art. 6 (1) f. GDPR and we wish to achieve the legitimate interests of stabilizing and improving our Website, quality insurance and fraud prevention.

3. Google Analytics

Our websites use Google Analytics, a web tracking tool by Google Inc. (hereafter: “Google”). Google Analytics uses cookies to analyze your use of our websites. The data created by the cookie is usually transferred to a server of Google in the USA and stored there.In case the anonymization of IP-addresses is active on a website, the user’s IP-address will be truncated inside the European Union or the European Economic Area. Only in exceptional cases the user’s full IP-address will be transmitted to a server of Google in the US and truncated there. IP-anonymization is active on our websites.On behalf of us, Google will process this data in order to analyze your use of our websites, to generate reports on website activity and to render further services regarding the use of our websites. The IP-address transmitted by your browser will not be associated with other data in possession of Google.You can prevent the storage of cookies by modifying your browser setting to decline cookies. Furthermore, you can prevent the collection and following procession of data by Google through this cookie by downloading a browser-plugin through the following link: https://tools.google.com/dlpage/gaoptout/.

You can also prevent the processing of your personal data through Google Analytics on our websites by clicking on this button:

An opt-out-cookie will be stored on your device. This will prevent further allocation of data through the Google Analytics cookie on our websites.Preventing storage of cookies may prevent you from taking full advantage of our websites.You can find further information about terms and conditions as well as data protection on https://www.google.com/policies/privacy/.The processing of personal data through Google Analytics is based on Article 6 (1) lit. f GDPR. Purpose and our legitimate interest are analysis of the use of our websites as well as improved functionality.

4. YouTube

We have included YouTube by Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA videos in our website, which are directly playable from our website. Without any action by you as User the YouTube Plugin is deactivated and therefore no data are transferred. If you wish view the video, you have to click the respective button first. Only with the click of the respective button a connection to YouTube will be set up and data transferred thereto. The Google Inc. will get the information that you have accessed the corresponding website of our online service. In addition, automatically collected Access Data are transmitted.Google Inc. processes the data collected about you via the Plugins, creates usage profiles and uses them for purposes of advertising and/ or market research. Such processing is carried out in particular for the presentation of needs-based advertisement and to inform other users of the social network about your activities on our website. You have a right to object to the formation of these user profiles, whereby you must contact the respective provider of the Plugin.This happens regardless of whether YouTube provides a user account that you are logged in to, or if there is no user account. When you’re logged in to YouTube, your data will be assigned directly to your account. If you do not wish to associate with your profile on YouTube, you must log out before activating the button.Google is certified according to the EU-US agreement “privacy shield”, https://www.privacyshield.gov. The “privacy shield” is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA.The data and privacy policy of YouTube can be found here: https://www.google.de/intl/de/policies/privacy/.Through the embedded videos, we offer you the opportunity to play YouTube videos directly on our site, so that we can improve the usability of our website and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 (1) f. GDPR.

5. Social Networks and Social Plugins

The Website is connected to various social networks via “Social Plugins“.Without any action by you as User the Social Plugins are deactivated and therefore no data is transferred. If you wish to share for example a content, you have to click the respective button first. Only with the click of the respective button a connection to the respective social network will be set up and data transferred thereto. The provider of the Plugin will get the information that you have accessed the corresponding website of our online service. In addition, automatically collected Access Data are transmitted.The providers of Plugins process the data collected about you via the Plugins, create usage profiles and use them for purposes of advertising, market research and / or tailor-made design of their website. Such processing is carried out in particular for the presentation of needs-based advertisement and to inform other users of the social network about your activities on our website. You have a right to object to the formation of these user profiles, whereby you must contact the respective provider of the Plugin.The data collection by the respective provider of the Plugin is carried out regardless of whether you have an account with the provider and are logged while using the Plugin. If you are logged into your Social Media account, your collected data will be assigned directly to your existing account with the provider of the Plugin. For example, if you link the page, the Plugin provider also stores this information in your user account and shares it with your contacts publicly. We recommend that you log out regularly after using a social network, but especially before activating the Plugin.The use of social media plugins is based on Art. 6 (1) f. GDPR. Our legitimate interest is improved functionality of our website and enabling our visitors to share our content on social media.In detail, these are the following social networks:

a) Facebook

Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA or Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook“).Facebook is certified according to the EU-US agreement “privacy shield”, https://www.privacyshield.gov. The “privacy shield” is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA.The data and privacy policy of Facebook can be found here: https://www.facebook.com/privacy/explanation.

6. Contacting us

When contacting us (e.g. by email), we process your name, email address and any personal data disclosed in the message itself.The processing is based on Art. 6 (1) f. GDPR. Purpose and our legitimate interest is answering your enquiry and, if applicable, follow-up questions.

7. Signing up for a free trial

Via a contact form you can register for a free trial of our Software. We then process the following categories of personal data:– Master data (name of your organization, name of contact person, email address)– Additional data, should you choose to disclose it (phone number, website)The processing is based on Art. 6 (1) b. GDPR. Purpose is initiation of a contract and providing our services.

8. Newsletter

With our newsletter we inform you about our products and us.When registering for the newsletter, you have to provide an email address. In case of registration for the newsletter, we also store the date of registration as well as the user’s first and last name, if you choose to additionally disclose those.After registration, the User will receive an email to confirm the registration. The processing is based on your consent (Art. 6 (1) a. GDPR). Purpose of the processing is the distribution of our newsletter.

9. Data Subject rights management

We process your requests for information, correction, deletion, restriction of processing of personal data and data portability pursuant to the GDPR. In doing so we process the following personal data:– Master data– Privacy statements (consent to the processing of personal data, withdrawal of your consent, objections to the processing of personal data, statements asserting your rights of access, to rectification, erasure, restriction of processing, and data portability, including the information you provide us by asserting your rights)– All data or categories of data that are the subject of the request.The processing of personal data is based on Article 6 (1) lit. c GDPR. Purpose is an effective affected rights management.

10. Automated decision-making and profiling

We do not use automated decision-making. Regarding profiling, we use the tracking tool Google Analytics. For further information about our use of Google Analytics see section II. 3. – “Google Analytics”.

11. Who receives your personal data

In some cases we share your personal data with third party controllers (see Article 4 No. 7 GDPR). These are the following controllers:– Google Ads, Facebook Ads, Twitter, LinkedInWe use processors (see Article 4 No. 8 GDPR) that process personal data on our behalf. These include the following processors:

We use the subscription billing and recurring payments software by ChargeBee. Chargebee processes data for the purpose of managing payments and billings for us.

Chargebee Inc. is certified according to the EU-US agreement “privacy shield”, https://www.privacyshield.gov. The “privacy shield” is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA based on Art. 45 GDPR.

III. Processing of personal data in the context of a subscription to our services

This chapter describes additional processing to the processing described in section II – “Processing of Personal Data regarding our Website” in the context of a subscription to our services.

1. Subscribing to our services/ creating an admin account

If you choose to create an account for your organization (“Customer”) and use our Software we process the following categories of personal data:– Master data (name of your organization, name of contact person, email address)– Additional data, should you choose to disclose it (phone number, website)– Data relevant for payment (e.g. address, credit card number, tax number)The processing is based on Art. 6 (1) b. GDPR. Purpose is initiation and execution of our contract and providing our services.

2. Creating user accounts

Once the Customer is registered with our software, he can create user accounts for employees or other individuals involved in the Customer’s project. Regarding this, we process the following personal data of the users:– Master data (user name, email address)– Additional data, should you choose to disclose it (first name, last name, title)

3. Data you enter while using the Software (“Customer Data”)

While using our Software to manage your projects, you may enter personal data into our Software (“Customer Data”). Please keep in mind, that the Customer is the controller of processing of such personal data. We will only process such personal data as instructed by the Customer and as laid down in our Terms of Use and the Processing Agreement. Instructed processing usually includes anonymizing the personal data you enter into the Software and creating statistics based on anonymized Customer Data.

4. Analysis and improvement of the Software using anonymized Customer Data

We also process the anonymized Customer Data for internal purposes, especially the purpose of improving the software, evaluating our product and creating new best practice regarding our Software. We do not use Customer Data containing any personal data for these purposes.However, we do process master data regarding the Customer (i.e. name of organization, name of contact person)The processing is based on Art. 6 (1) f. GDPR. Purpose and our legitimate interest is improving our Software.

5. Marketing using anonymized Customer Data

We also use statistics based on anonymized Customer Data for marketing purposes, i.e. by displaying them publicly.The processing is based on Art. 6 (1) f. GDPR. Purpose and our legitimate interest is direct marketing.

6. Automated decision-making and profiling

We do not use automated decision-making and profiling regarding personal data.

7. Who receives your personal data

In some cases we share your personal data with third party controllers (see Article 4 No. 7 GDPR). These are the following controllers.We use processors (see Article 4 No. 8 GDPR) that process personal data on our behalf. These include the following processors:

We use the subscription billing and recurring payments software by ChargeBee. Chargebee processes data for the purpose of managing payments and billings for us.

Chargebee Inc. is certified according to the EU-US agreement “privacy shield”, https://www.privacyshield.gov. The “privacy shield” is an agreement between the European Union (EU) and the USA to ensure compliance with European data protection standards in the USA based on Art. 45 GDPR.

For any processes regarding payments we use the services of Stripe. Regarding any processing of payments, Stripe will use payment data for the purpose of managing the payments relating to our services.

Stripe Inc. is certified according to the EU-US agreement “privacy shield”, https://www.privacyshield.gov/welcome.

Our Software uses the ticketing and helpdesk online-tool “Freshdesk” by Freshworks. We use “Freshdesk” for the purpose of organizing the helpdesk and support services provided in connection with the Software.

Information about your right to object in accordance with Art. 21 General Data Protection Regulation (GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you on the basis of Art. 6 (1) lit. f GDPR (processing of personal Data based on a balancing of interests); this includes profiling based on those provisions (Art. 4 No. 4 GDPR).Should you decide to object the processing, we will stop to process personal data concerning you, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishment, exercise or defence of legal claims.You also have the right to object at any time to processing of personal data concerning you for the purpose of advertising; this also applies to profiling insofar as it is associated with advertising.Should you decide to object to the processing for advertising purposes, we will stop to process personal data concerning you for these purposes.The objection is not subject to any form. Ideally, it should be lodged at the bodies mentioned in section I. 1. and 2.